Internet Draft M. Boesgaard, M. Vesterager, E. Zenner
Cryptico A/S
November 22, 2005
This document expires May 22, 2006
A Description of the Rabbit Stream Cipher Algorithm
<draft-zenner-rabbit-02.txt>
IPR Statement
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Draft Boilerplate
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Abstract
This document describes the encryption algorithm Rabbit. It is a
stream cipher algorithm with a 128-bit key and 64-bit IV. The method
was published in 2003 and has been subject to public security and
performance revision. Its high performance makes it particularly
suited for use with Internet protocols where large amounts of
data have to be processed.
Boesgaard et al. Informational [page 1]

INTERNET DRAFT Rabbit Encryption November 2005
1. Introduction
Rabbit is a stream cipher algorithm that has been designed for high
performance in software implementations. Both key setup and
encryption are very fast, making the algorithm particularly suited
for all applications where large amounts of data or large numbers of
data packages have to be encrypted. Examples include, but are not
limited to, server-side encryption, multimedia encryption, hard-disk
encryption, and encryption on limited-resource devices.
The cipher is based on ideas derived from the behavior of certain
chaotic maps. These maps have been carefully discretized, resulting
in a compact stream cipher. Rabbit was openly published in 2003
[1] and has not displayed any weaknesses as of the time of this
writing. To ensure ongoing security evaluation, it was also submitted
to the ECRYPT eSTREAM project [2].
Technically, Rabbit consists of a pseudorandom bitstream generator
that takes a 128-bit key and a 64-bit initialization vector (IV) as
input and generates a stream of 128-bit blocks. Encryption is
performed by combining this output with the message, using the
exclusive-OR operation. Decryption is performed in exactly the same
way as encryption.
Further information about Rabbit, including reference implementation,
test vectors, performance figures, and security white papers, is
available from http://www.cryptico.com/.
2. Algorithm Description
2.1 Notation
This document uses the following elementary operators:
   +     integer addition.
   *     integer multiplication.
   div   integer division.
   mod   integer modulus.
   ^     bitwise exclusive-OR operation.
   <<<   left rotation operator.
   ||    concatenation operator.
When labeling bits of a variable A, the least significant bit is
denoted by A[0]. The notation A[h..g] represents bits h through g of
variable A, where h is more significant than g. Similar variables
are labeled by A0,A1,..., with the notation A(0),A(1),... being used
to denote those same variables if this improves readability.
Given a 64-bit word, the function MSW extracts the most significant
32 bits, while the function LSW extracts the least significant 32
bits.
2.7 Extraction Scheme
After the key and IV setup are concluded, the algorithm is iterated
in order to produce one 128-bit output block S per round. Each round
consists of executing steps 2.5 and 2.6 and then extracting an output
S[127..0] as follows:
   S[15..0]    = X0[15..0]  ^ X5[31..16]
   S[31..16]   = X0[31..16] ^ X3[15..0]
   S[47..32]   = X2[15..0]  ^ X7[31..16]
   S[63..48]   = X2[31..16] ^ X5[15..0]
   S[79..64]   = X4[15..0]  ^ X1[31..16]
   S[95..80]   = X4[31..16] ^ X7[15..0]
   S[111..96]  = X6[15..0]  ^ X3[31..16]
   S[127..112] = X6[31..16] ^ X1[15..0]
2.8 Encryption / Decryption Scheme
Given a 128-bit message block M, encryption E and decryption M' are
computed via
E = M ^ S and
M' = E ^ S.
If S is the same in both operations (as it should be if the same key
and IV are used), then M = M'.
The encryption/decryption scheme is repeated until all blocks in the
message have been encrypted/decrypted. If the message size is not a
multiple of 128 bits, only the needed amount of least significant bits
from the last output block S is used for the last message block M.
In case the application requires the encryption of smaller blocks (or
even individual bits), a 128-bit buffer is used. The buffer is
initialized by generating a new value S and copying it into the
buffer. After that, all data blocks are encrypted using the least
significant bits in this buffer. Whenever the buffer is empty, a new
value S is generated and copied into the buffer.
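The extraction of section 2.7 and the buffered XOR of section 2.8, as an added C example that is not part of this draft or of any reference implementation. Assumptions: `demo_next_state` is a hypothetical stand-in for steps 2.5 and 2.6 (it is not Rabbit's next-state function), the `stream` type and its functions are names chosen here, and the bytes of S are consumed least significant byte first.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Section 2.7: s[0] = S[31..0], s[1] = S[63..32], ..., s[3] = S[127..96]. */
void rabbit_extract(const uint32_t x[8], uint32_t s[4])
{
    s[0] = x[0] ^ (x[5] >> 16) ^ (x[3] << 16);
    s[1] = x[2] ^ (x[7] >> 16) ^ (x[5] << 16);
    s[2] = x[4] ^ (x[1] >> 16) ^ (x[7] << 16);
    s[3] = x[6] ^ (x[3] >> 16) ^ (x[1] << 16);
}

/* Hypothetical stand-in for steps 2.5 and 2.6. This is NOT Rabbit's
 * next-state function and gives no security; it only makes successive
 * blocks differ so the buffering logic can be exercised. */
static void demo_next_state(uint32_t x[8])
{
    for (int j = 0; j < 8; j++)
        x[j] = x[j] * 1664525u + 1013904223u + (uint32_t)j;
}

struct stream {
    uint32_t x[8];    /* state words; constructed values in this example */
    uint8_t  buf[16]; /* the 128-bit buffer of section 2.8 */
    size_t   used;    /* bytes already consumed; 16 means buffer empty */
};

void stream_init(struct stream *st, const uint32_t x[8])
{
    memcpy(st->x, x, sizeof st->x);
    st->used = 16;    /* force generation of S on first use */
}

/* Section 2.8: XOR len bytes in place. The same call encrypts and decrypts. */
void stream_xor(struct stream *st, uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (st->used == 16) {             /* buffer empty: produce a new S */
            uint32_t s[4];
            demo_next_state(st->x);       /* replace with steps 2.5 and 2.6 */
            rabbit_extract(st->x, s);
            for (int b = 0; b < 16; b++)  /* assumed: low byte of S first */
                st->buf[b] = (uint8_t)(s[b / 4] >> (8 * (b % 4)));
            st->used = 0;
        }
        data[i] ^= st->buf[st->used++];
    }
}
```

Because the buffer position is kept in the stream state, splitting a message into chunks of any size yields the same ciphertext as processing it in one call, and unused bytes of the last S are simply left in the buffer.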
3. Security Considerations
For an encryption algorithm, the security provided is of course the
most important issue. No security weaknesses have been found to
date, neither by the designers nor by independent cryptographers
scrutinizing the algorithm after its publication in [1]. Note that a
full discussion of Rabbit's security against known cryptanalytic
techniques is provided in [3].
In the following, we restrict ourselves to some rules on how to use
the Rabbit algorithm properly.